hacking unpacked

Month: June 2015

After my internship, I had planned to stay in Bangalore for a week. As people who know me are aware, I hardly go out alone. Going out for lunch was the problem, so I thought I’ll order food online.

Dazo is a Bangalore-based food ordering app. I had a promo code, DAZO100, for Rs 100 off on your first order.

One thing I noticed: there was no traditional account management (registration or OTP verification). I was curious about how they manage user information.

In the meantime I got a mail from DAZO with the order details, but I had never entered my email address. Ohh, the app is using my Android (Google) account.

Adrenaline rush started in my security nerve.

You can create multiple users in Android Lollipop, so I created a new user (better not to mess with my Google settings). This “New user” provides a virtual-box-like environment. I registered with a different email, downloaded DAZO, used DAZO100 again and bang!

Had the Chicken for 20 Rs.

DAZO's new user acquisition price was Rs 100, but in my case it was 400+. All you have to do is change the Google account from the phone settings before placing an order and use DAZO100. Being a tester, I have 5 or 6 Gmail accounts, and it doesn’t cost anything to create a new one.

I came to know that they do verify every order manually and they know about this 😛, but they don’t have any choice: either fix the bug or deliver the food. I am a new user with a new email, nothing illegal.

They use all sorts of permissions: Device ID, Identity, Wi-Fi information and what not.

I had free food (or paid in 2 figures) for 3 days. I guess by now they have fixed it or blocked my phone for the code; you can give it a try, after all your one email is worth INR 100.
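A server-side check that would close the gap described in this post, written as an added example (not DAZO's code): the first-order discount is keyed on device, phone and delivery address as well as the account email. All field names and sample orders are constructed, and `device_id` is assumed to be a hardware-level identifier, since a per-user value such as ANDROID_ID differs under a second Android user profile.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Order:
    email: str      # account identity taken from the phone's Google account
    device_id: str  # hardware-level identifier sent by the app (assumption)
    phone: str      # contact number given for delivery (assumption)
    address: str    # delivery address (assumption)

def norm_email(email: str) -> str:
    """Lower-case; for Gmail also drop dots and +tags, which reach the same inbox."""
    local, _, domain = email.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local, domain = local.split("+", 1)[0].replace(".", ""), "gmail.com"
    return f"{local}@{domain}"

def norm_address(address: str) -> str:
    """Collapse case, punctuation and spacing so trivial edits do not look new."""
    cleaned = "".join(c if c.isalnum() else " " for c in address.lower())
    return " ".join(cleaned.split())

@dataclass
class PromoLedger:
    seen: set = field(default_factory=set)  # every identifier that already redeemed

    def keys(self, order: Order, hardened: bool) -> set:
        keys = {("email", norm_email(order.email))}
        if hardened:  # bind the promo to more than the account
            digits = "".join(ch for ch in order.phone if ch.isdigit())
            keys |= {("device", order.device_id), ("phone", digits[-10:]),
                     ("address", norm_address(order.address))}
        return keys

    def redeem(self, order: Order, hardened: bool = True) -> bool:
        """Grant the first-order discount only if no identifier was seen before."""
        keys = self.keys(order, hardened)
        if keys & self.seen:
            return False
        self.seen |= keys
        return True

def replay(orders, hardened: bool) -> list:
    ledger = PromoLedger()
    return [ledger.redeem(o, hardened) for o in orders]

SAMPLE = [  # constructed orders: 1 and 2 share a phone, device and address
    Order("first.user@gmail.com", "dev-A", "+91 98765 43210", "12, MG Road, Bangalore"),
    Order("second.user@gmail.com", "dev-A", "9876543210", "12 MG Road Bangalore"),
    Order("third.user@example.com", "dev-B", "9000000001", "4 Church Street"),
]
```

With `hardened=False` the second order is treated as a new customer because only the email differs; with `hardened=True` it is refused while the genuinely new third customer still gets the discount.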